Duties of the Data Protection Officer

Knowing that you may need a DPO is one thing, but what does a DPO actually do?

Firstly, the DPO is NOT responsible or accountable for GDPR compliance. This duty falls on the organisation itself.

The DPO is there to assist the organisation in maintaining data protection compliance. They should offer expert advice, support data protection impact assessments and audits and act as the intermediary between data subjects, the organisation’s business units and the supervisory authority. The DPO will front and centre in the event of a data breach and must have deep understanding of the organisation’s data protection. The DPO’s contact details must be publicly available for data subjects to access, e.g. on the “Privacy Policy” page of a website, and employees should know who the DPO is and how to engage with them.

Day to day, the DPO is the internal authority on data protection guidance for all activities involving personal data. Any new project, architecture, design or plan that includes personal data should have the input from the DPO. In turn, availability of the DPO for all teams is essential. The DPO’s guidance does not necessarily need to be followed, but if it is not, then this should be explicitly documented as to why and the risk assessment made. The DPO can sit in any business unit where there isn’t a conflict of interest, and must have a direct feed into the top level of management.

The volume of work required from a DPO will vary from organisation to organisation. A smaller company may require one or two days of DPO input per month. Another may require a full time DPO with a large supporting team underneath them. Under resourcing the DPO role would be a very careless mistake, especially if the regulator comes knocking.

Crucially, the DPO must be a true expert on the GDPR. Whether they are a trained lawyer, Compliance Manager or external consultant, they need to know GDPR inside out and how to comply with it in the real world. No specific qualification is required for a DPO, but in addition to expert GDPR knowledge they must also have strong skills in Information Security, Project Management, Business and organisational nuances for administrative rules and procedures.

Summary

The DPO is your expert GDPR advisor, ready to work with project teams assessing compliance and happy to face the supervisory authority in the event of a data security breach. The DPO has a wide skill set and reports directly to the executive board.

Carl Gottlieb

Carl Gottlieb is the privacy lead and Data Protection Officer for a select group of leading tech companies. Carl’s consultancy company Cognition provides a range of privacy and security services including virtual DPO and virtual CISO.